On XACML’s Adequacy to Specify and to Enforce HIPAA

Omar Chowdhury, The University of Texas at San Antonio; Haining Chen, Purdue University; Jianwei Niu, The University of Texas at San Antonio; Ninghui Li and Elisa Bertino, Purdue University

Abstract:

In the medical sphere, personal and medical information is collected, stored, and transmitted for various purposes, such as continuity of care, rapid formulation of diagnoses, and billing. Many of these operations must comply with federal regulations like the Health Insurance Portability and Accountability Act (HIPAA). To this end, we need a specification language that can precisely capture the requirements of HIPAA, and an enforcement engine that can enforce the privacy policies specified in that language. In the current work, we evaluate the eXtensible Access Control Markup Language (XACML) as a candidate specification language for HIPAA privacy rules. We evaluate XACML against the set of features required to sufficiently express HIPAA, as proposed in prior work, and discuss which of the features necessary for expressing HIPAA are missing from XACML. We then present high-level designs for enhancing XACML's enforcement engine to support the missing features.
